Agenda

- Address compliance objectives in a unified way
- Configuration and file integrity assessment
- Qualys compliance solutions with demo: Policy Compliance, Out-of-band Configuration Assessment, File Integrity Monitoring
- Security Assessment Questionnaire
- Discussion, Q&A


Must Haves for Compliance & Security Programs

- Inventory system and software (authorized, not EOLed)
- Process and vendor risk
- Security configurations
- Continuous vulnerability management
- Review rights & permissions
- Monitoring of critical files


TOP 5 CIS CONTROLS

- CSC 1: Inventory of Authorized and Unauthorized Devices.
- CSC 2: Inventory of Authorized and Unauthorized Software.
- CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers.
- CSC 4: Continuous Vulnerability Assessment and Remediation.
- CSC 5: Controlled Use of Administrative Privileges.
DEMO

Unified Compliance Dashboard - Example of ISO Compliance
Policy Compliance

Continuous Configuration and Compliance Management


Assessment Beyond Vulnerabilities

- CVE-based vulnerability
- Known asset based
- Ad-hoc patching
- Configuration/hardening assessment
- Hardening controls assessment
- Track certificates, EOL/EOS per host
- Auto-discover unknown software/apps
- Track what critical objects are changing
- Vendor risk assessment; compliance as a by-product
- Automated patch management
- Automated config failure remediation
- Continuous middleware discovery & assessment


MongoDB - We don't track misconfigurations!
MongoDB server leaks data of nearly 700,000 Amex India customers

Everyone is loving Docker! I don't know where they're running.

ElasticSearch - We have this in our environment?


Why 3,000+ Customers Use Qualys Policy Compliance

- Data collection options through multiple sensors
- Technology and content coverage
- Platform features: regulatory reporting, APIs, trending
- Discovery and remediation
Compliance Delivered Through Multiple Sensors

Physical
- Legacy data centers
- Corporate infrastructure
- Continuous security and compliance scanning

Virtual
- Private cloud infrastructure
- Virtualized infrastructure
- Continuous security and compliance scanning

Cloud/Container
- Commercial IaaS & PaaS clouds
- Pre-certified in marketplace
- Fully automated with API orchestration
- Continuous security and compliance scanning

Cloud Agents
- Lightweight, multi-platform
- On premise, elastic cloud & endpoints
- Real-time data collection
- Continuous evaluation on platform for security and compliance

Out of band
- Push asset and config data instead of Qualys pulling
- Use same signatures for evaluating this data

API
- Integration with Threat Intel feeds
- CMDB Integration
- Log connectors
Technology Coverage

- Network Devices/Databases
- Middleware Technologies
- Operating Systems
- Emerging Technologies/Engineering Technologies
- Containerized Technologies
- Inventory/Discovery Information

[Logo wall of supported technologies; legible names: Oracle, Red Hat, CentOS, openSUSE, Debian, Ubuntu, VMware, Solaris, MacOS, Sybase, Cisco, Cassandra, Juniper, Ceph, Elastic, Redis]
Control & Compliance Content Coverage

- Easy customization of values through UI
- Over 140 versions of 75+ technologies
- 270+ CIS policies, 70+ best practice policies
- 20+ mandates for out of box reporting
- Experienced team contributing to/authoring the CIS benchmarks
- No direct importing of vendor/guideline-provided commands (optimized for scalability, error handling, default values)
Policy Compliance Feature Advantages

Customization
- Database custom scripts/controls
- User Defined Controls (UDCs) - hash-based FIM, shares, password audits, WMI, file content

Discovery
- Auto-discovery of middleware technologies for configuration and vulnerability assessment

Reporting
- Compliance trending, custom dashboard and API/integration support

Remediation
- Automated remediation for config failure
New PC UI: Asset Compliance & Control Compliance Views
Policy Compliance DASHBOARD

[Screenshots of the Policy Compliance UI: the dashboard with the POLICIES, SCANS, REPORTS, EXCEPTIONS, ASSETS and USERS tabs; a control compliance view with passing/failing counts, trending and posture widgets, and filters by mandate type (NIST Special Publication, HITRUST, Qualys, DISA STIG, Vendor), criticality, locked status and status; and an asset compliance view listing operating system (Red Hat Enterprise Linux Server 7.0, AIX 5.x / AIX 6.x, Mac OS X 10.13.6, Microsoft Windows 10 Enterprise 10.0.15063 Build 15063), tracking method (Agent), last scanned date, number of controls and compliance %.]

Example filter on the Controls view:
Mandate.name like 'fedramp mod%' AND asset.tagName='USproduction' AND control.status='failed'

Example controls visible in the list:
- Current list of 'Installed patches from the manufacturer' (Microsoft)
- Status of the 'Devices: Allowed to format and eject removable media' setting (NTFS formatted devices)
- Current list of ORACLE accounts having access to the 'PERFSTAT.STATS$SQL_SUMMARY' table
- Status of the 'Indexing' service

Top 4/4 US Banks want to use custom DB controls

- Define database query (read only), customizable by DB version
- Provide static information
- Set a query to return tabular data to evaluate (which can include evidence)
- Use Policy Editor to define expected value from the returned query result to pass/fail a database control

[Screenshot: custom DB control editor with General Information, Technology, Row Selection and Evaluation Criteria ("Matches Column Criteria") sections]
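As an added illustration (not Qualys code), the following Python models a database custom control the way the slide describes it: a read-only query returning tabular rows, a row selection, and an expected value applied to one column, yielding Pass/Fail with the returned rows as evidence. The SQLite table standing in for Oracle's DBA_TAB_PRIVS view and its rows are constructed sample data; the control mirrors the "accounts with access to PERFSTAT.STATS$SQL_SUMMARY" check shown in the dashboard.

```python
import sqlite3

# Constructed sample rows standing in for Oracle's DBA_TAB_PRIVS view (assumption,
# not real customer data): which grantee holds which privilege on which table.
SAMPLE_ROWS = [
    ("PERFSTAT", "STATS$SQL_SUMMARY", "SELECT"),
    ("SYS",      "STATS$SQL_SUMMARY", "SELECT"),
    ("APPUSER",  "STATS$SQL_SUMMARY", "SELECT"),   # not expected: should fail the control
    ("APPUSER",  "ORDERS",            "SELECT"),   # unrelated table, never evaluated
]

# The control, modelled on the slide: a read-only query returning tabular data,
# a row selection, and an expected value applied to one column of the result.
CONTROL = {
    "name": "Accounts with access to PERFSTAT.STATS$SQL_SUMMARY",
    "query": "SELECT grantee, privilege FROM dba_tab_privs WHERE table_name = ?",
    "params": ("STATS$SQL_SUMMARY",),
    "row_selection": {"privilege": "SELECT"},   # evaluate only rows matching this
    "column": "grantee",
    "expected": {"PERFSTAT", "SYS"},            # "Matches Column Criteria"
}

def sample_db():
    """Build the in-memory database, then lock it read-only for the control run."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dba_tab_privs (grantee TEXT, table_name TEXT, privilege TEXT)")
    conn.executemany("INSERT INTO dba_tab_privs VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    conn.execute("PRAGMA query_only = ON")      # engine-level guard: writes now raise
    conn.row_factory = sqlite3.Row
    return conn

def run_query(conn, sql, params=()):
    """Second guard: a custom control may only ever run a SELECT."""
    if not sql.lstrip().upper().startswith("SELECT"):
        raise ValueError("custom DB controls must be read-only SELECT queries")
    return [dict(r) for r in conn.execute(sql, params)]

def evaluate(conn, control):
    """Return Passed/Failed plus the selected rows, which double as evidence."""
    rows = run_query(conn, control["query"], control["params"])
    sel = control["row_selection"]
    selected = [r for r in rows if all(r[k] == v for k, v in sel.items())]
    unexpected = sorted({r[control["column"]] for r in selected} - control["expected"])
    return {
        "control": control["name"],
        "status": "Failed" if unexpected else "Passed",
        "unexpected": unexpected,
        "evidence": selected,
    }

def write_is_rejected(conn):
    """Show that the read-only guard holds: any write attempt raises."""
    try:
        conn.execute("INSERT INTO dba_tab_privs VALUES ('X', 'Y', 'SELECT')")
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = sample_db()
    print(evaluate(db, CONTROL))
    print("write rejected:", write_is_rejected(db))
```

The sample data deliberately contains an unexpected grantee, so the control fails and the evidence lists all three accounts holding SELECT on the table.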
DEMO

Policy Compliance | DB custom control building, control view


Feature Roadmap

Q2 2019
- Database UDC support for Oracle, MSSQL and MongoDB
- Non-root 'scanning' for UDCs (scanner) - file content, permissions/ownership
- Auto-discovery and auto auth record support for Sybase, Tomcat, JBoss, WebSphere
- PC data in Elastic cluster for data querying

Q3 2019
- Auto-remediation support through agent
- Middleware support through agent (Qweb, Portal, Agents)
- Support for 'running commands' UDC

Q2 2019
- File Content Search Windows UDC on agent
- 'Scan by Policy' support through agents
- Inventory and discovery data for ITAM
- Backend work for middleware tech (web servers) support through agents
Out-of-band Configuration Assessment (OCA)

Make your inaccessible, sensitive assets visible to your vulnerability and compliance program

Two of the biggest banks in Asia using OCA

- Sensitive systems/regulated devices
- Legacy systems
- Highly locked down systems
- Network appliances

Current options:
- Manual - screenshots, ad-hoc scripts
- Limited software-based support
Out-of-Band Configuration Assessment (OCA)
add-on to VM/PC

- Use/create your scripts to collect and push the data
- Support for Inventory, Policy Compliance and Vulnerability assessment

[Screenshot: Qualys Enterprise Out-of-Band Config Assessment asset list showing technologies such as Brocade switches, WebSphere, WebSphere Liberty 9.0 and FireEye CMS 8.x]
4 Easy steps to push data to Qualys (API/UI)

1. Provision the asset
2. Upload the vulnerability and configuration data
3. Qualys creates a data snapshot
4. Use vuln IDs/controls-policies for report generation

[Screenshot: Out-of-Band Configuration Assessment ASSETS / TECHNOLOGIES view listing assets by hostname, technology (Fabric, Data Domain OS, FireEye CMS, Juniper IVE), IP address and upload date]
DEMO
Out-of-Band Configuration Assessment (OCA)

Technology Support

v1.0 release - March 2019
- FireEye Appliances
- Storage Devices
- Brocade DCX Switch
- Acme Packet Net
- Imperva Firewall
- Cisco Wireless LAN Controller 7
- Cisco UCS Server
- NetApp ONTAP
- Juniper IVE
- Tandem - HP Guard

Future Priorities
- AS/400
- Cisco Meraki
- Sonic Firewall
- Aruba WLC
- Dell EMC Data Domain
- Oracle Tape Library
- Arista
Availability & Roadmap

December 2018
- v0.9 release for limited customers
- API-based asset and config data upload for PC

March 2019
- UI-based data upload for PC
- Bulk asset data upload (CSV)
- Integration with AssetView

May 2019
- Extend support to VM
- Support OCA for AS400 compliance

Q2 2019
- Possible SDK route
- Expand platform coverage
- CMDB Integration
- FIM Integration
File Integrity Monitoring

Real-time: monitor and manage critical file changes

Traditional FIM challenges
- Expensive infrastructure to deploy and maintain
- Lack of scalable solution with quick time to value
- Depth of monitoring & high volume of changes
- Requires intelligence about the changes
- Solution in silo: another agent/platform/asset management

[Diagram: Cloud Agent assets with activated modules (VM, FIM, ...) and tags]
100+ Customers have chosen Qualys FIM within its first year

- Built on the same Qualys Cloud Agent
- Real-time detection for high volume, high scale
- Nothing to install, easy to configure, quick win
- Detail about the changes
- Flexible APIs for external integration
- Elastic query based automated incident management and alerting**

[Screenshot: FIM "View Details" event view for a monitored host]
How Top Credit reporting agency uses Qualys FIM

- Started quickly with 'out-of-the-box' monitoring profiles
- Centrally managing events and creating incidents
- Analyzing file changes with metadata (correlate, track and alert for change incidents**)
- Searching, filtering, tracking through Elastic queries and dashboards
- Incident reports for auditors
- FIM APIs for integration with centralized DWH

[Screenshot: FIM Incident Report with Incident Name, Status, Comments, Disposition and an Events by Severity chart]
What Customers are Monitoring

- Critical operating system binaries
- OS and application configuration files
- Content, such as web source, custom critical files
- Permissions/security attributes (such as on database stores, log files)
- Security data (logs, folder audit settings)
[Screenshot: FIM event detail, View Details: TASKHOST.EXE-954DD3D2.pf]
Event Alert: File Security
Changed on: 11 minutes ago, March 11, 2017 at 10:20:22 AM
By user: .\KCtech
File path: \Device\HarddiskVolume2\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
By process: -
Monitoring Profile: Windows Profile - PCI
Sections and Rules: Section 1; Rulename.here1, Rulename.here2

DEMO

File Integrity Monitoring (FIM)

FIM Roadmap: Agent Priorities

Q2/Q3 2019
- Windows Registry Detection
- Network Device Configurations
- File content change comparison
- AuditD lockdown workarounds
- Process Tracking

Future Consideration
- AIX 7.x
- Debian 7+
- MacOS
- Solaris

* Roadmap items are future looking; timing and specifications may change
FIM Roadmap: Features

Q1 2019
- FIM API: Incident-Event List API, Event Query API
- FIM Backend 1.1.2
- Activation & Profile/Manifest Assignment Improvements
- 2.0: Automated Incident Correlation, Basic Alerting and Notification

April 2019
- Agent Health UI Improvements
- Tune from Event View
- Initial Reporting - Change Incident Report
- Monitoring Profile Editor Phase II
- New Monitoring Baseline Profiles (Middleware)

Q2 2019, 2.1 (May)
- Incident Management UI & Workflow Improvements
- FIM Management API features
- External Change Control Integration (Splunk)
- Expand Reporting - Template based
- Customizable Alerting and Notification, Incident Correlation

Q2 2019, 2.2 (June)
- Process Whitelisting (For Patch process)
- Dashboard Expansion & AssetView Integration
- Windows Registry Change Detection

Q3 2019
- Show File Text Change Details (File change comparisons)
- Monitoring Profile Import/Export
- Streaming Event API
- Full-fledged Patch Reconciliation for automated Incident management

* Roadmap items are future looking; timing and specifications may change
Security Assessment Questionnaire

Automate Vendor Risk Management (VRM) on the same platform

Agenda
- How SAQ complements Qualys technical security apps
- Internal procedural controls assessment
- Vendor control & risk assessment
- Content support
- Demo
- Roadmap


Vendor Risk Challenges for a US Pharma company

- Extend the perimeter to include vendors - security & vulnerability data collection
- Vendor profiling based on the services
- Vendor assessment based on criticality
- Vendor control data aggregation with internal security and compliance data
- Automated workflow, operational dashboards

[Chart: source of breach / breach origin statistics]
How they are addressing vendor risk through SAQ

- Vendor profiling: defines criticality based on service areas/cybersecurity domains
- Uses out-of-the-box content, including regional mandates
- Easy online workflow for the vendors; receives reminders, alerts and status
- Assesses vendors per their risk profile, in a standardized (SIG) manner
- Dashboards the risk posed by the highly critical vendors and ranks them per risk
- Consolidates the vendor control posture with internal procedural & technical compliance controls
Rich Template Library

Industry
- PCI DSS SAQ A, B, C, D
- IT for SOX
- GLBA
- BASEL 3 (IT)
- HIPAA
- HITRUST
- NERC CIP v5
- SWIFT
- NERC CIP

Popular Standards
- ISO 2700 ISMS
- NIST CSF
- COBIT 5
- FedRAMP
- COSO
- ITIL
- CIS TOP 20 Controls
- Shared Assessment (SIG)* - vendor assessment

Regional
- GDPR multiple templates
- Abu Dhabi Info Sec Standards
- ANSSI (France)
- MAS IBTRM (Singapore)
- NESA
- BSI Germany
- ISM (Australia)
- UK Data Protection
- RBI Guidelines (India)
- California Privacy**
- Canada Data Protection 2018**

Technical Services
- CSA CAIQ v3.0.1
- CSA CCM v3.0.1
- Vendor Security for Hosting Service Provider AWS**
- Procedural controls for cloud, containers**
Content Updates

- Shared Assessment (SIG) 2019
- HITRUST updates 2018
- NCSC - Basic Cyber Security Controls (Saudi Arabia)
- PCI-DSS SAQs version 3.2
  Templates: A, A-EP, B, C, C-VT, D Service Provider, D Merchant, P2PE
- PCI-DSS SAQs version 3.2.1
  Templates: A, A-EP, B, C, C-VT, D Service Provider, D Merchant, P2PE
DEMO
Security Assessment Questionnaire

SAQ Roadmap

Q4 2018
- Vendor-driven workflows to cater to customers
- New role as Risk Analyst
- Vendor bulk upload
- Campaign Scheduler
- SAQ users/roles/privileges
- Question Bank
- Create template from library templates
- New campaign UI

Q2 2019
- Vendor Risk Management workflows
- Vendor onboarding, vendor risk profiling
- Automated assessment based on vendor profiles/onboarding
- Compare vendors based on risk scores

August 2019
- Risk register workflow
- Risk scoring

* Roadmap items are future looking; timing and specifications may change
Unique advantages of the Qualys Compliance solutions

- Single agent, single platform for all compliance modules
- Broad technology coverage with industry-leading ready-to-use content
- On premise, cloud, containerized
- Auto-discovery of technologies for metadata
- Create & run your own controls, templates, profiles
- API and integration
- Out of box compliance reporting (ISO, NIST, PCI, ADSIC, NESA and more)
- Vendor Risk Management on same platform
Thank You


Shailesh Athalye 
sathalye@qualys.com 


